Trojan in install-tl-windows.exe reported by Windows Defender

Andrea GINI andrea.gini at sns.it
Sun Jun 18 14:59:38 CEST 2023


Update: I was able to verify the PGP signature on the sha512 file with the
public key. The problem was that I needed to check the fingerprint of the
public key and certify that fingerprint myself. I retrieved the fingerprint
from: https://www.tug.org/tug2016/slides/preining.pdf on page 38 (Key
fingerprint = C78B 82D8 C795 12F7 9CC0 D7C8 0D5E 5D91 06BA B6BC).

Since the fingerprint of the public key is the same as the one retrievable
from another trusted source (the public PDF), I was able to tell Gpg4win
that the public key was valid, and I validated the public key. In that way,
checking the sha512 file and its signature gives:

Verified ‘install-tl-windows.exe.sha512’ with
‘install-tl-windows.exe.sha512.asc’:
Valid signature by tex-live at tug.org


What I first missed is that I needed to create a personal key in order to
manually validate the texlive public key with the fingerprint.


Best


Andrea

On Sun 18 Jun 2023 at 12:59 Andrea GINI <andrea.gini at sns.it>
wrote:

> On Sat 17 Jun 2023 at 11:31 Siep Kroonenberg <
> siepo at bitmuis.nl> wrote:
> > This link points to an automatically selected mirror
> > https://mirror.ctan.org/systems/texlive/tlnet/install-tl-windows.exe
>
> OK, now I know that the link automatically downloads from a mirror.
> Update: Windows Defender continues to report the installer as a specific
> trojan (Trojan:Win32/Wacatac:B!ml). VirusTotal reports only 1 detection
> across all the other scanners. For Malwarebytes the installer is clean.
>
> On Fri 16 Jun 2023 at 15:27 Norbert Preining <
> norbert at preining.info> wrote:
> > In addition, the installers are signed with our GPG key, that allows you
> > to verify the integrity.
>
> I'm on Windows and I'm not literate enough about certificates. I've
> installed Gpg4win and downloaded the installer, the sha512 file, the PGP
> file related to the sha512 and the PGP file called texlive.
> The last one is the same as loading the key from the server inside Gpg4win
> by searching for TeX Live or for tex-live at tug.org, but Gpg4win reports
> that the trust level is unknown.
>
> If I verify the sha512 file and its signature, Gpg4win reports:
> Verified ‘install-tl-windows.exe.sha512’ with
> ‘install-tl-windows.exe.sha512.asc’: The certificate could not be
> certified. Error: 1
>
> TeX Live Distribution <tex-live at tug.org> (0D5E 5D91 06BA B6BC) The used
> key is not certified by you or any trusted person.
>
>
> This is very possibly due to my ignorance about certificates :P
>
> I followed a quasi-tutorial for checking the ISO of a Linux distro, but
> Gpg4win in the first place reports that the user ID for texlive.asc is "not
> certified" when I load the certificate (maybe I shouldn't have imported
> texlive.asc, but the key needs to be retrieved directly from a server?).
>
>
> The SHA512 in the file and the SHA512 computed for the installer are indeed
> identical. It is the PGP validation that is new to me.
>
>
> On Sat 17 Jun 2023 at 11:31 Siep Kroonenberg <
> siepo at bitmuis.nl> wrote:
>
>> On Sat, Jun 17, 2023 at 11:17:53AM +0200, Andrea GINI wrote:
>> > I didn't quite understand the last sentence. I downloaded the installer
>> > directly from https://www.tug.org/texlive/windows.html.
>>
>> This link points to an automatically selected mirror:
>> https://mirror.ctan.org/systems/texlive/tlnet/install-tl-windows.exe
>>
>> --
>> Siep Kroonenberg
>>
>